Also, I know that it would be a security hole to not firewall everything off but I don't get why? Wouldn't an attacker need both my username and password or super user access to break anything in my databases?
There are three things you have to worry about with that:
- Brute-force attempts. MySQL doesn't have a delayed response time, so bots can (and absolutely will) be launched against your site to try to find those things.
- DoS attacks. In part, just having multiple bots flooding you with login attempts achieves this, but it also allows people to hold open idle connections and gives an outlet for packet fragments, SYN attacks, etc.
- You're open to future exploits. It's nice to think of MySQL as a perfectly secure service, but that's not the case and they're constantly needing to fix security holes. You're probably not updating your MySQL server from the nightly repo on a daily basis, so that means that if a big exploit comes out, your server is vulnerable and you're leaving that port wide open for anyone.
Some of those concepts carry over to other services, too -- if you're serious about security, it's always good to selectively block certain SYN requests, Xmas packets, and all of those fun things for every port on the machine. Whatever port you have SSH running on, you want the firewall set up with a rate limiter so that the same IP can't reconnect to the server within 5 seconds, which puts the kibosh on most brute-force attempts there (and is WAY safer for you than something like denyhosts). The general rule, though, is that the only ports you should have open to the outside are the ones necessary for the public to connect through, and SSH. Beyond that, you're leaving the door open to some really common and quite easy attacks.
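The firewall setup the answer above describes (default-deny on everything but the public ports and SSH, drop Xmas-style flag combinations on every port, and a per-IP rate limiter so the same source can't reconnect to SSH within 5 seconds), as an added example that is not part of the original post. It uses the iptables "recent" match with a window of 5 seconds and a hit count of 2, which drops a source's second new SSH connection inside the window. SSH on port 22 and public services on 80 and 443 are assumptions; change them to match the host.

```shell
#!/bin/sh
# Added example (not from the original thread). Generates a default-deny
# iptables INPUT ruleset that: drops packets with TCP flag combinations a
# real stack never sends (Xmas, null, SYN+FIN, SYN+RST); rate-limits new SSH
# connections per source IP so a second attempt inside the window is dropped;
# and accepts new connections only on the listed public ports.
# Assumptions: SSH on 22, public services on 80 and 443, a 5-second window.

# ssh_ratelimit_rules SSH_PORT WINDOW HITS
# The "recent" match records every new connection per source address; a
# source that reaches HITS connections within WINDOW seconds is dropped.
# HITS=2 means "one new connection per WINDOW seconds per IP". A user who
# mistypes a password is not affected: sshd offers several prompts on the
# same TCP connection, and only new connections are counted.
ssh_ratelimit_rules() {
    port=$1; window=$2; hits=$3
    cat <<EOF
iptables -N SSH_LIMIT
iptables -A INPUT -p tcp --dport $port -m conntrack --ctstate NEW -j SSH_LIMIT
iptables -A SSH_LIMIT -m recent --name ssh_new --set
iptables -A SSH_LIMIT -m recent --name ssh_new --update --seconds $window --hitcount $hits -j DROP
iptables -A SSH_LIMIT -j ACCEPT
EOF
}

# bogus_flag_rules: scan and malformed-probe patterns, applied to all ports.
# ALL ALL = every flag set, ALL NONE = null scan, FIN,PSH,URG = nmap's Xmas.
# The last rule drops anything conntrack calls NEW that is not a SYN.
bogus_flag_rules() {
    cat <<'EOF'
iptables -A INPUT -p tcp --tcp-flags ALL ALL -j DROP
iptables -A INPUT -p tcp --tcp-flags ALL NONE -j DROP
iptables -A INPUT -p tcp --tcp-flags ALL FIN,PSH,URG -j DROP
iptables -A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
iptables -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
iptables -A INPUT -p tcp ! --syn -m conntrack --ctstate NEW -j DROP
EOF
}

# public_port_rules PORT...: accept new connections to the public services.
public_port_rules() {
    for p in "$@"; do
        echo "iptables -A INPUT -p tcp --dport $p -m conntrack --ctstate NEW -j ACCEPT"
    done
}

# full_ruleset SSH_PORT PUBLIC_PORT...: the complete script. Loopback and
# already-established traffic are accepted first so applying this over an
# existing SSH session does not cut you off; the DROP policy is set last.
full_ruleset() {
    ssh_port=$1; shift
    cat <<'EOF'
iptables -P INPUT ACCEPT
iptables -F INPUT
iptables -F SSH_LIMIT 2>/dev/null || true
iptables -X SSH_LIMIT 2>/dev/null || true
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -m conntrack --ctstate INVALID -j DROP
EOF
    bogus_flag_rules
    ssh_ratelimit_rules "$ssh_port" 5 2
    public_port_rules "$@"
    echo "iptables -P INPUT DROP"
}

# sh firewall.sh          prints the rules (dry run, safe for any user)
# sh firewall.sh --apply  executes them as root; the tracked addresses can
#                         be inspected in /proc/net/xt_recent/ssh_new
if [ "${1:-}" = "--apply" ]; then
    full_ruleset 22 80 443 | sh -e
else
    full_ruleset 22 80 443
fi
```

Run it without arguments first and read the generated rules; the order matters, because the bogus-flag drops and the SSH_LIMIT jump must come before any ACCEPT for a public port, and the ESTABLISHED,RELATED rule must come before everything else so the rate limiter only ever sees the first packet of a new connection.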
EDIT: Never mind, my school has apparently started to block SSH. I'll have to wait till I get home.
Protip: Take a port that your school does not block, and forward that port on your home router to your home computer's SSH port (assuming you have a non-Windows machine at home). Bam, now you can SSH to your home computer and do anything you need to from there, even if your school blocks SSH. As an added benefit, you can also open an SSH tunnel through that port with a SOCKS4 interface on the school machine, and route your web traffic through it to avoid any blocks the school has in place.
For instance, if the port you're forwarding to SSH at home is '443' (the port used for https connections by default), this command will open up a local SOCKS4 proxy on port 1080 into a tunnel back home:
ssh -N -p 443 -c 3des -D 1080 username@your_home_ip
Now you just set your browser/computer's proxy settings to use SOCKS4 on localhost port 1080. Ta-da, no more blocks. Better than shitty web-based proxies any day.
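A wrapper around the tunnel command from the post above, as an added example that is not part of the original thread. It runs ssh as a ControlMaster so the tunnel can be checked and stopped by name, binds the SOCKS listener explicitly to loopback so nobody else on the school network can use your tunnel, and tests it with curl over socks5h, which resolves hostnames at the home end. That last point is the caveat worth knowing: with a SOCKS4 proxy setting the browser resolves every hostname through the school's DNS before connecting, so the names you visit still leak even though the page bytes go through the tunnel; SOCKS5 with remote DNS (socks5h in curl, "proxy DNS when using SOCKS v5" in Firefox) avoids that. HOME_HOST, HOME_PORT, SSH_USER, SOCKS_PORT, CTL_SOCK and the ifconfig.me check URL are assumptions.

```shell
#!/bin/sh
# Added example, not code from the original thread. Start/check/stop the
# SOCKS tunnel from the post via an ssh ControlMaster socket, with the proxy
# bound to loopback only and a curl test that sends DNS through the tunnel.
# All of the values below are assumptions; replace them with your own.

HOME_HOST=${HOME_HOST:-your_home_ip}   # assumption: public address of the home router
HOME_PORT=${HOME_PORT:-443}            # assumption: router port forwarded to sshd at home
SSH_USER=${SSH_USER:-username}         # assumption: your login on the home box
SOCKS_PORT=${SOCKS_PORT:-1080}
CTL_SOCK=${CTL_SOCK:-${HOME:-/tmp}/.ssh/home-tunnel.ctl}

# socks_bind: listener address for -D. A bare port number also binds to
# loopback by default, but -D 0.0.0.0:PORT or GatewayPorts would open the
# proxy to the whole LAN, so the address is spelled out explicitly.
socks_bind() { echo "127.0.0.1:$SOCKS_PORT"; }

# proxy_url: the proxy spec for curl. "socks5h" = SOCKS5 with the hostname
# passed to the proxy, so lookups happen at home, not on the school resolver.
proxy_url() { echo "socks5h://$(socks_bind)"; }

# tunnel_opts: options shared by start/check/stop, printed one per line so
# they can be reviewed. Values are assumed to contain no whitespace, which is
# why an unquoted $(tunnel_opts) below is safe to re-split into words.
tunnel_opts() { printf '%s\n' -S "$CTL_SOCK" -p "$HOME_PORT" "$SSH_USER@$HOME_HOST"; }

# tunnel_start: -N runs no remote command, -f backgrounds after auth, -M makes
# this the master on CTL_SOCK. ExitOnForwardFailure makes ssh fail loudly if
# SOCKS_PORT is already taken instead of silently running with no proxy;
# ServerAlive* tears the tunnel down when the far end stops answering.
tunnel_start() {
    ssh -f -N -M -o ExitOnForwardFailure=yes \
        -o ServerAliveInterval=30 -o ServerAliveCountMax=3 \
        -D "$(socks_bind)" $(tunnel_opts)
}
tunnel_check() { ssh -O check $(tunnel_opts); }
tunnel_stop()  { ssh -O exit  $(tunnel_opts); }

# tunnel_test [URL]: fetch URL through the proxy. With the default URL
# (assumed reachable) it prints the address the far side sees, which should
# be the home connection's address rather than the school's.
tunnel_test() {
    curl -sS --max-time 15 --proxy "$(proxy_url)" "${1:-https://ifconfig.me/ip}"
}

case "${1:-}" in
    start) tunnel_start && tunnel_test ;;
    check) tunnel_check ;;
    stop)  tunnel_stop ;;
    test)  tunnel_test "${2:-}" ;;
    *)     echo "usage: $0 start|check|stop|test [url]   (proxy: $(proxy_url))" ;;
esac
```

After `sh tunnel.sh start`, point the browser at SOCKS5 on localhost port 1080 with remote DNS enabled; `sh tunnel.sh check` confirms the master is still alive and `sh tunnel.sh stop` closes the tunnel cleanly instead of leaving a stray ssh process behind.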